If you find this add-on useful, please star it on GitHub — stars show appreciation and help maintainers know their work matters.
This add-on integrates Bearer, a powerful static application security testing (SAST) tool, directly into your DDEV project.
It allows you to scan your source code for security and privacy vulnerabilities without leaving the DDEV workflow.
bearer.yml configuration file

```bash
ddev add-on get massiws/ddev-bearer
ddev restart
# Generates a default config to `bearer.yml`
ddev bearer init
```
After installation, you may want to customize the default configuration settings by editing the bearer.yml file; see the Bearer configuration docs for more information.
Important: Restart DDEV after making changes to the bearer.yml file.
Make sure to commit the .ddev directory and the bearer.yml file to version control.
| Command | Description |
|---|---|
| `ddev bearer` | Display available commands and usage information |
| `ddev bearer scan .` | Scan entire project using default configuration in bearer.yml |
| `ddev bearer scan . --severity critical,high` | Scan only for critical and high-severity issues |
| `ddev bearer scan . --scanner=secrets` | Scan specifically for hardcoded credentials and secrets |
| `ddev bearer scan <path/to/file> --context=health` | Scan specific file/folder with custom context (health, payment, finance, etc.) |
| `ddev bearer ignore add <fingerprint> --author "Your Name" --comment "Reason"` | Add fingerprint to ignore file and track with author/comment metadata |
Auto-fill Author in Ignore Commands: To avoid specifying the author repeatedly, configure your Git username in DDEV globals:

```bash
# Link your Git config into DDEV's global homeadditions directory
ln -s "$HOME/.gitconfig" "$HOME/.ddev/homeadditions/.gitconfig"
```

This will automatically use your Git username for all ddev bearer ignore commands.
For comprehensive information, refer to the Bearer CLI documentation:
Contributed and maintained by @massiws
For issues, feature requests, or contributions, please visit the GitHub repository.